Insights from the office for civil rights

An inside look at the results of the first random HIPAA compliance audits.

The entire industry has been clamoring for information from the first 20 recipients of the random HIPAA compliance audits started last winter. While we have seen peeks into the process – the letter that starts the audit and even the documentation list that entities have to respond to during the first 10 days – little has actually been divulged with respect to how these organizations performed. That changed as of June 7 when Linda Sanches, OCR lead for the audit program and a senior privacy advisor, provided an inside look at the results of the first audits and some of the findings/statistics that they have put together (2012 HIPAA Privacy and Security Audits, June 7, 2012, at the 2012 NIST/OCR Annual Conference, Washington, D.C.). Her presentation – which included nearly 15 slides providing pie charts, bar graphs and bullets describing the findings – can be used to inform others’ readiness. Takeaways can be had in three areas of readiness: general, privacy and security.

In the general readiness category, it is safe to say that the results of the audits spelled out the need to have well-articulated and fully integrated privacy and security programs. You cannot get ready for this audit when you’re notified; you need to be ready prior to notification. When evaluating your readiness, focus on the four “Cs”:

Completeness: Do we have all policies, procedures, forms, etc. that we need to implement privacy and security effectively?

Compliance: Are all aspects of compliance addressed adequately?

Currency: Are all policies, procedures, forms, etc. up to date and current with respect to review?

Consistency: Is there alignment between policies, procedures, practices and the documentation that can be produced to demonstrate compliance?

The audit process follows closely the Generally Accepted Government Audit Standards, and is therefore very demonstration focused, making that last “C” arguably the most important to get right – and a major focus of readiness preparations.

The takeaway on privacy readiness is to pay attention to detail. The results from the first 20 audits did not illuminate any clear trends or prominent areas of deficiency. There were consistent deficiencies across the board with all organizations. Privacy compliance is very process driven and documentation centric; organizations need to encourage discipline in following use and disclosure practices and audit regularly to assure consistent performance.

The security view was very different from privacy in that there were definite trends and areas of deficiency evident in the audit results. Sanches identified nine high-instance areas of deficiency, which included risk analysis, managing user access, incident response, contingency planning, media reuse and disposal, encryption, auditing, authentication and physical safeguards. Eighty percent of the security issues identified were attributed to providers, and nearly two-thirds of those to the largest providers audited. Larger, more-complex environments understandably have greater compliance challenges. That should not be a surprise to anyone who has tried to secure information in a large, sophisticated environment. What it reinforces, though, is that greater attention and priority is going to have to be given to investing in the technology that enables IT organizations to meet their compliance requirements. Nearly half of all audited did not have good practices for auditing user activity. Approximately one-third did not have adequate contingency plans to assure proper restoration of systems or data.

Overall, the audits are starting to shape a perception of readiness in the industry that is not much different than what has been reported through various surveys and studies performed over the last few years. The difference is these audits are providing more of an objective, empirical, evidenced-based assessment of compliance, which will no doubt capture the attention of many if it remains consistent through the remaining 95 audits that will be conducted during the rest of this calendar year. General observations – such as privacy and security programs are not receiving sufficient priority, organizations are still failing to implement appropriate and ongoing risk analysis, and management of third-party risks – remain issues sure to receive ongoing attention. The challenges are different for both small and large providers, and from providers to other covered entities. Hopefully, the analytical effort at the end of these initial audits will provide not only some clarification into just where the industry is, but also, more importantly, some helpful pointers to areas where the right emphasis can really make a difference.

About the author

Mac McMillan is co-founder and CEO of CynergisTek Inc. For more on CynergisTek, click here.